FAQ / Security & data

What sub-processors do you use?

Microsoft (M365 as the primary substrate, covered by your existing relationship with Microsoft) and DocuSign when customers enable the integration. We maintain the current list as part of our DPA.

The short list

The sub-processor list is deliberately short because the architecture is built on your existing M365 tenant rather than on a stack of additional cloud services:

  • Microsoft — as the underlying platform (SharePoint, Entra, Purview). Already part of your M365 relationship with Microsoft; we don’t introduce Microsoft as a new sub-processor.
  • DocuSign — only when customers enable the DocuSign PAdES integration. DocuSign’s role is signing-ceremony-only; documents return to SharePoint as the authoritative version.

What’s not on the list

  • We don’t use analytics sub-processors on your document content.
  • We don’t use hosting sub-processors beyond Microsoft’s M365.
  • We don’t use external AI/ML training providers.

GDPR Article 28 scope

For customers running GDPR programs, the Article 28 sub-processor review for our product is simple: the only net-new entity beyond your existing Microsoft relationship is DocuSign (and only if enabled). For customers not using DocuSign, our product adds zero sub-processors to your existing DPA scope.

This is a meaningful difference from platforms that come with a dozen sub-processors (analytics, hosting, CDN, monitoring, ML providers), each of which expands Article 28 scope and requires periodic review.

Current DPA

Our data-processing addendum is available to customers during contracting. The sub-processor list is part of that document; any changes are notified in advance per Article 28(2) requirements.

Deeper context

Compliance · Tier A

GDPR

More in Security & data

?

Does our data leave our Microsoft 365 tenant?

No. Documents, metadata, and audit logs all live inside your SharePoint libraries, which are inside your M365 tenant. The only exception is when DocuSign is enabled — documents transit DocuSign for the signing ceremony and return immediately.

?

Do you have access to our documents?

Our service accounts have scoped access to the libraries under governance — necessary for the integration to function. Our engineering team does not have unilateral content access; support-session access is logged when customers explicitly request troubleshooting.

?

Are you HIPAA-certified or ISO 27001-certified?

We don't position the product itself as HIPAA-certified. Microsoft signs a HIPAA BAA covering M365 tenants, and our layer inherits that posture. ISO 27001 certification at the vendor level is in progress; in the meantime, Microsoft's ISO 27001 covers the substrate.

Question not on this list?

A 30-minute assessment is usually the fastest way to get a specific answer to a specific question about your organization's profile.

Book a free assessment or see all FAQs